b'Highlights\nTable of Contents\n\n\n\n\n                    eCommerce\n                    Customer\n                    Registration\nFindings\nRecommendations\n\n\n\n\n                    Audit Report\n                    Report Number\n                    IT-AR-14-008\n\n                    August 15, 2014\nAppendices\n\n\n\n\n                                      Print\n\x0cHighlights\nTable of Contents\n\n\n\n\n                    Highlights                          Background                                                        Of the four applications, Click-N-Ship\xe2\x80\x99s credit card fraud-related\n                                                                                                                          loss of $4.6 million was above the industry\xe2\x80\x99s recommended\n                                                        The U.S. Postal Service\xe2\x80\x99s Customer Registration application\n                                                                                                                          threshold for acceptable levels of credit card fraud in FY 2013.\n                                                        allows customers to create accounts through USPS.com to\n                                                                                                                          In addition, management did not always ensure all credit card\n                         Effective management and       purchase products and services through over 40 eCommerce\n                                                                                                                          company chargebacks were validated.\n                                                        applications such as Every Door Direct Mail, Premium\nFindings\n\n\n\n\n                       technical controls are needed    Forwarding Service, Click-N-Ship, and the Postal Store.           
Further, seven of the eight Customer Registration controls\n                                                        Customers must provide personally identifiable information        we tested worked as management intended. However, we\n                     to strengthen oversight, further   to create an account. There were over 24 million Customer         identified one vulnerability that could permit a cyber criminal to\n                                                        Registration users as of June\xc2\xa02014 and revenue totaled about\n                              reduce fraud-related                                                                        impersonate a valid user and obtain postage using stolen credit\n                                                        $1.2\xc2\xa0billion in fiscal year (FY) 2013.                            card data. Finally, we did not identify any critical or high-risk\n                       credit card chargebacks, and                                                                       vulnerabilities when conducting over 3,000 additional tests of\n                                                        Our objective was to determine the effectiveness of controls\n                                                                                                                          the USPS.com login page.\n                       prevent a cyber criminal from    used to safeguard the eCommerce Customer Registration\nRecommendations\n\n\n\n\n                                                        process and reduce online credit card fraud.\n                     obtaining postage using stolen                                                                       What the OIG Recommended\n                                  credit card data.     
What the OIG Found                                                We recommended management establish a threshold for credit\n                                                                                                                          card fraud and develop a policy defining chargeback roles and\n                                                        Controls used to safeguard the eCommerce Customer\n                                                                                                                          responsibilities.We also recommended management maintain\n                                                        Registration process and reduce online credit card fraud need\n                                                                                                                          chargeback research results from all eCommerce managers\n                                                        improvement. Management has not established a threshold for\n                                                                                                                          and configure eCommerce applications to prevent the noted\n                                                        fraud-related chargebacks (transactions rejected by credit card\n                                                                                                                          security vulnerability.\n                                                        companies) for the four eCommerce applications in our review.\n                                                        As a result, management cannot objectively measure when to\n                                                        increase oversight and controls to reduce fraud.\nAppendices\n\n\n\n\n                    eCommerce Customer Registration\n                    Report Number IT-AR-14-008\n                                                                            
                                                                      Print                                    1\n\x0cHighlights\n                    Transmittal Letter\n\n\n                                                      August 15, 2014\nTable of Contents\n\n\n\n\n                                                      MEMORANDUM FOR:\t NAGISA M. MANABE\n                                                      \t\t\t\t             EXECUTIVE VICE PRESIDENT, CHIEF MARKETING\n                                                      \t\t\t\tAND SALES OFFICER\n\n                                                      \t\t\t\tSCOTT G. DAVIS\n                                                      \t\t\t\tACTING VICE PRESIDENT, CONTROLLER\n\n                                                      \t\t\t\t                       JOHN T. EDGAR\n                                                      \t\t\t\t                       VICE PRESIDENT, INFORMATION TECHNOLOGY\n\n                                                      \t\t\t\t                       KELLY M. SIGMON\n                                                      \t\t\t\t                       VICE PRESIDENT, RETAIL CHANNEL OPERATIONS\n\n                                                      \t\t\t\tELIZABETH M. SCHAFER\nFindings\n\n\n\n\n                                                      \t\t\t\t TREASURER, CORPORATE TREASURY\n\n\n\n\n                                                      \t\t\t\t\n                                                      FROM: \t\t\t John E. 
Cihota\n                                                      \t\t\t\tDeputy Assistant Inspector General\nRecommendations\n\n\n\n\n                                                      \t\t\t\t       for Financial and Systems Accountability\n\n                                                      SUBJECT: \t\t\t               Audit Report \xe2\x80\x93 eCommerce Customer Registration\n                                                      \t\t\t\t                       (Report Number IT-AR-14-008)\n\n                                                      This report presents the results of our audit of eCommerce Customer Registration\n                                                      processes and controls (Project Number 13BG018IT000).\n\n                                                      We appreciate the cooperation and courtesies provided by your staff. If you have any\n                                                      questions or need additional information, please contact Sean Balduff, acting director,\n                                                      Information Technology, or me at 703-248-2100.\n\n                                                      Attachment\nAppendices\n\n\n\n\n                                                      cc:\t   Corporate Audit and Response Management\n\n\n\n                    eCommerce Customer Registration\n                    Report Number IT-AR-14-008\n                                                                                                                           Print                2\n\x0cHighlights\n                    Table of Contents\n                                                      Cover\n                                                      Highlights.......................................................................................................1\n                                                       
Background.................................................................................................1\n                                                       What the OIG Found...................................................................................1\n                                                       What the OIG Recommended.....................................................................1\nTable of Contents\n\n\n\n\n                                                      Transmittal Letter...........................................................................................2\n                                                      Findings.........................................................................................................4\n                                                       Introduction.................................................................................................4\n                                                       Conclusion..................................................................................................5\n                                                       Threshold for Chargebacks.........................................................................5\n                                                       Management of Chargeback Disputes........................................................7\n                                                       Customer Registration Controls..................................................................9\n                                                      Recommendations......................................................................................10\n                                                       Management\xe2\x80\x99s Comments........................................................................10\nFindings\n\n\n\n\n                                                       Evaluation of 
Management\xe2\x80\x99s Comments.................................................. 11\n                                                      Appendices..................................................................................................13\n                                                       Appendix A: Additional Information...........................................................14\n                                                         Background ...........................................................................................14\n                                                         Objective, Scope, and Methodology.......................................................15\n                                                         Prior Audit Coverage..............................................................................15\nRecommendations\n\n\n\n\n                                                       Appendix B: Customer Registration Controls Test Results.......................16\n                                                       Appendix C: Summary of Chargebacks....................................................18\n                                                       Appendix D: Management\xe2\x80\x99s Comments...................................................19\n                                                      Contact Information.....................................................................................29\nAppendices\n\n\n\n\n                    eCommerce Customer Registration\n                    Report Number IT-AR-14-008\n                                                                                                                                                Print                      3\n\x0cHighlights\n                    Findings                          Introduction\n                                                      This report presents the results of our self-initiated audit of 
eCommerce Customer Registration (Project Number 13BG018IT000).\n                                                      Our objective was to determine the effectiveness of controls used to safeguard the eCommerce Customer Registration process\n                                                      and reduce online credit card fraud. See Appendix A for additional information about this audit.\n\n                                                      Customers use the Customer Registration application to register accounts through USPS.com.1 These accounts give them access\n                                                      to the U.S. Postal Service eCommerce applications such as Click-N-Ship,2 Every Door Direct Mail (EDDM),3 Premium Forwarding\n                                                      Service (PFS),4 and the Postal Store,5 and allow them to purchase products and services through the Internet using a major credit\nTable of Contents\n\n\n\n\n                                                      card.6 There were over 24 million Customer Registration users as of June 2014. To create an account, customers must enter\n                                                      personally identifiable information such as name, address, and telephone number. 
To purchase products and services, customers\n                                                      also provide their credit card data.7\n\n                                                      Credit card fraud carried out through an eCommerce application, such as Customer Registration, often starts with a cyber criminal8\n                                                      successfully applying for a new account, or taking over an existing account by circumventing identity-proofing techniques.9 In\n                                                      January 2013, management detected a high volume of automated, unauthorized attempts to log into Customer Registration\n                                                      application accounts. After further analysis, management determined that cyber criminals obtained stolen credit card data from\n                                                      unknown sources outside the Postal Service. They also accessed existing Postal Service accounts and created fictitious Customer\n                                                      Registration accounts to purchase domestic and international shipping labels10 from Click-N-Ship. Affected credit cardholders\n                                                      alerted their credit card issuers11 to report their credit card data had been stolen and used to make unauthorized purchases. 
The\n                                                      issuer then generated chargebacks12 that resulted in a financial loss to the Click-N-Ship program management office.13 As a result,\nFindings\n\n\n\n\n                                                      the January 2013 Click-N-Ship credit card chargebacks related to fraud increased 122 percent (from $266,762 to $594,408) over\n                                                      those recorded for September 2012.14 Additionally, management identified minimal credit card fraud in the Postal Store, EDDM,\n                                                      and PFS applications. See Appendix C for additional information.\n\n                                                      In January 2013, management began implementing additional controls to reduce fraudulent activity.15 Click-N-Ship credit card\n                                                      chargebacks declined as the new controls were implemented; however, continuous assessment of Customer Registration controls\n                                                      and a detailed knowledge of current cyber threats are some of the measures needed to continuously combat cyber criminal\nRecommendations\n\n\n\n\n                                                      activity.\n\n\n\n\n                                                      1\t Provides various tools for customers to ship at any time, as well as help control home, business, or Post Office Box\xe2\x84\xa2 mail delivery with easy-to-use links.\n                                                      2\t Enables customers to create pre-paid shipping labels for certain mail classes using the customer\xe2\x80\x99s personal computer and printer.\n                                                      3\t Enables businesses to send advertising mail to their desired audience without acquiring an address list or printing specific names and addresses on mailpieces.\n                             
                         4\t Provides the ability for customers to forward their mail from their permanent address to a temporary address.\n                                                      5\t Enables customers to easily purchase products online such as stamps, supplies, gifts, and collectibles.\n                                                      6\t Visa, MasterCard, Discover, and American Express. Customers may also use PayPal to purchase Click-N-Ship products.\n                                                      7\t Customers are redirected to the            Payment application to enter their credit card data when making a purchase.\n                                                      8\t An individual who commits cyber crimes using the computer as a tool, a target, or both.\n                                                      9\t Identity-proofing techniques include a layer and risk-based approach that provides assurance of identity verification.\n                                                      10\t Many of these labels were placed on packages used as part of reshipping schemes, where stolen or illegally obtained goods were shipped to overseas destinations.\nAppendices\n\n\n\n\n                                                      11\t The issuer provides credit cards and contracts with its cardholders for billing and payment of transactions.\n                                                      12\t Chargebacks occur when the bank debits the Postal Service for a previously settled credit or debit card transaction. 
The most common reasons for chargebacks include\n                                                          customer disputes, fraud, processing errors, and authorization issues.\n                                                      13\t The issuer reversed the chargebacks the Postal Service successfully disputed.\n                                                      14\t September 2012 represents the lowest recorded fraud-related chargeback period in fiscal year (FY) 2012.\n                                                      15\t Examples of Customer Registration controls implemented since January 2013 include disabling accounts when users attempt to change their account profile more than\n                                                          five times a day and detection of cyber criminals who use scripts to create numerous accounts within a short timeframe.\n                    eCommerce Customer Registration\n                    Report Number IT-AR-14-008\n                                                                                                                                                                           Print                                                 4\n\x0cHighlights                                              Conclusion\n                        The Postal Service incurred     Controls used to safeguard the eCommerce Customer Registration process and reduce online credit card fraud need\n                                                        improvement. Management did not establish a specific threshold for expected fraud-related chargebacks for Click-N-Ship, EDDM,\n                           Click-N-Ship credit card     PFS, and the Postal Store. 
Specific thresholds were not established because the Click-N-Ship manager believed the existing\n                                                        controls were sufficient and EDDM, PFS, and Postal Store managers thought the minimal chargebacks in their programs did not\n                             fraud-related losses of    warrant establishing thresholds. Although we agree chargebacks for EDDM, PFS, and the Postal Store were minimal for the period\n                    $4.6 million in FY 2013 exceeding   we reviewed, management needs a threshold to objectively measure whether fraud chargebacks reach an unacceptable level or\n                                                        effectively gauge when to escalate oversight and preventative controls to reduce credit card fraud. A threshold would also help\nTable of Contents\n\n\n\n\n                      the industry best practice by a   management determine whether the costs of controls implemented to prevent fraud outweigh the benefits.\n\n                               total of $2.8 million.   The Postal Service incurred Click-N-Ship credit card fraud-related losses of $4.6 million in FY 2013.16 This exceeded the industry\n                                                        best practice of 0.35 percent of revenue17 by a total of $2.8\xc2\xa0million.\n\n                                                        Additionally, we determined the program managers for PFS and EDDM did not research chargebacks related to their programs.\n                                                        Furthermore, Eagan Accounting Services did not maintain records needed to monitor, account for, and ensure timely receipt of the\n                                                        program manager\xe2\x80\x99s research results because there are no standard operating procedures explaining the roles and responsibilities\n                                                        for these functions. 
Without performing this research and maintaining the results, the Postal Service is at risk for monetary loss\n                                                        from the sale.18\n\n                        A threshold for eCommerce       Furthermore, we determined seven of the eight Customer Registration controls we tested worked as management intended;\nFindings\n\n\n\n\n                                                        however, we identified one security vulnerability that could permit a cyber criminal to impersonate a valid user and obtain postage\n                           application fraud-related\n                                                        using stolen credit card information.19 We did not identify any critical or high-risk vulnerabilities when conducting over\n                           credit card chargebacks      3,000 additional tests of the USPS.com login page.\n\n                              was not established.      Threshold for Chargebacks\n                                                        Program managers did not establish a specific threshold for expected fraud-related chargebacks for Click-N-Ship, EDDM, PFS,\n                                                        and the Postal Store. Industry best practice20 recommends establishing thresholds that escalate incidents of fraud to higher levels\nRecommendations\n\n\n\n\n                                                        of management visibility. 
Our research found the recommended threshold was 0.35\xc2\xa0percent of revenue for fraudulent credit card\n                                                        chargebacks associated with \xe2\x80\x9ccard not present\xe2\x80\x9d purchases.21\n\n                                                        Click-N-Ship management believed the existing controls were sufficient and EDDM, PFS, and Postal Store managers thought a\n                                                        threshold was not warranted because chargebacks were minimal. Even though chargebacks for EDDM, PFS, and the\n                                                        Postal Store were minimal for the period we reviewed, management needs an established threshold for all four applications to\n                                                        objectively measure whether fraud-related chargebacks have reached an unacceptable level. Establishing a threshold would\n\n                                                        16\t Click-N-Ship chargeback amounts included 95 percent of the total MasterCard and Visa chargebacks identified as fraudulent. They also included 100 percent of American\n                                                            Express and Discover chargeback amounts because the Postal Service was unable to                                                                                      .\n                                                        17\tProvided by Gartner, Inc., a leading information technology research and advisory company.\n                                                        18\t The time required to respond to the acquirer with dispute documentation varies by credit card brand and the acquirer\xe2\x80\x99s internal procedures. 
Historically, for Visa\nAppendices\n\n\n\n\n                                                            chargebacks, Eagan Accounting Services had to respond to the acquirer in 7 to 10 days.\n                                                        19\t We tested three additional controls; however, the results were inconclusive. This was a result of an existing compensating control that limits the number of times a user\n                                                            can edit his or her profile (five times per day). This control is in place because numerous changes to a user\xe2\x80\x99s account profile are an indicator of a user with malicious\n                                                            intentions.\n                                                        20\t Managing the Business Risk of Fraud: A Practical Guide, sponsored by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the\n                                                            Association of Certified Fraud Examiners.\n                                                        21\t Transactions in which the customer is not required to physically present the credit card (for example, online transactions).\n                    eCommerce Customer Registration\n                    Report Number IT-AR-14-008\n                                                                                                                                                                               Print                                                5\n\x0cHighlights                                            allow managers to consistently gauge when to escalate oversight of the program and increase the preventative controls needed\n                                                      to mitigate fraud. 
A threshold would also help management determine whether the costs of controls implemented to prevent fraud\n                                                      outweigh the benefits.\n\n                                                      We reviewed the credit card chargebacks associated with purchases made through the Click-N-Ship, EDDM, the Postal Store,\n                                                      and PFS applications for FYs 2012 and 2013. Only the Click-N-Ship application incurred chargebacks over the recommended\n                                                      threshold. Figure 1 shows FYs 2012 and 2013 revenue and chargeback comparisons for Click-N-Ship. Fraud-related chargebacks\n                                                      were 0.9 percent higher in FY\xc2\xa02012 and 0.52\xc2\xa0percent higher in FY 2013 than the best practice recommended\n                                                      0.35\xc2\xa0percent threshold.\nTable of Contents\n\n\n\n\n                                                      Figure 1. Click-N-Ship Revenue and Chargeback Data\n\n                                                         Safeguard Controls for Online Fraud Need Improvement\n\n                            Hover over active areas\n                              for more information.               
Click-N-Ship Revenue and Chargeback Data\n\n                                                                      Click-N-Ship                            FY 2012                            FY 2013\n\n                                                                 Revenue                                   $490,375,618                      $535,865,158\nFindings\n\n\n\n\n                                                                 Chargebacks                                 $6,137,780                         $4,686,252\n                                                                 (percentage of revenue)                     (1.25%)                            (0.87%)\n\n                                                                 Best Practice Threshold\n                                                                                                              $1,716,315                         $1,875,528\n                                                                 (0.35 percent of revenue)\nRecommendations\n\n\n\n\n                                                                 Chargeback Variance\n                                                                                                              $4,421,465                         $2,810,724\n                                                                 >0.35 percent of revenue\n\n\n                                                                 FY 2012/2013 Chargeback Variance Total                                          $7,232,189\nAppendices\n\n\n\n\n                    eCommerce Customer Registration\n                    Report Number IT-AR-14-008\n                                                                                                                                              Print                                    6\n\x0cHighlights                                            Management of Chargeback Disputes\n                                                      
Managers from Eagan Accounting Services and the program management offices for Click-N-Ship, EDDM, and PFS did not\n                                                      effectively manage all credit card chargeback disputes. Postal Service policy22 states that responses to chargebacks should\n                                                      occur immediately after a request from the financial institution or the Postal Service will incur the expense of the sale. Untimely\n                      Chargeback disputes were not    responses occurred because there is no standard operational procedure explaining the roles and responsibilities for effective\n                                                      management of these chargeback disputes for all parties involved. Timely responses to chargeback inquiries are needed to assist\n                                properly managed.     Eagan Accounting Services in providing the acquirer23 compelling evidence that certain chargebacks are not valid; otherwise, the\n                                                      program office\xe2\x80\x99s budget is at risk for monetary loss from the sale. 
Click-N-Ship credit card fraud resulted in sales losses of $6.1 million in FY 2012 and $4.6 million in FY 2013.

The Finance Branch, Eagan Accounting Services, provided a daily list of the credit card chargebacks to all of the program managers;[24] however, program managers for Click-N-Ship, PFS, and EDDM did not use this information to research the chargebacks and did not provide the documented proof to Eagan Accounting Services that it needed to dispute any chargebacks. Management indicated program managers were not trained to perform this function. In addition, the program manager for Click-N-Ship stated he was not aware of the requirement to communicate the results to Eagan Accounting Services. 
Further, Eagan Accounting Services did not maintain records needed to monitor and ensure timely receipt of program managers' chargeback research results.

[22] Postal Service Handbook F-101, Field Accounting Procedures, Section 9-2.8, October 2013.
[23] The merchant's (Postal Service's) bank.
[24] The list of credit card chargebacks is provided daily unless there are no chargebacks.

See Figure 2 for a flowchart describing the chargeback lifecycle. See Appendix C for a summary of chargeback amounts for FYs 2012 and 2013.

Figure 2. 
Chargeback Lifecycle[25]
Source: VISA – Chargeback Management Guidelines for Visa Merchants, 2011.

[25] This diagram is a generic representation of the Visa chargeback lifecycle.

Customer Registration Controls

Customer Registration security controls were working as intended with the exception of one vulnerability that could allow a cyber criminal to obtain postage using stolen credit card information.

Our test of eight selected Customer Registration security controls demonstrated that seven controls were working as intended. Furthermore, we used software[26] that performed over 3,000 tests of the USPS.com login page and did not identify any critical or high-risk vulnerabilities.[27] See Appendix B for complete results of our tests and information about the controls we tested.

Examples of controls that work as management intended include the following:

■ Customer Registration users are limited to three login attempts. This control is in place to help prevent cyber criminals from successfully guessing an account holder's password. 
Customer Registration accounts are locked after the third login attempt. To unlock the account, the user may call the Customer Registration Help Desk, use the "I Forgot My Password" feature by answering secret questions, or wait 24 hours and try again.

■ Changes to user profiles are limited to five per day. This control is in place because numerous changes to a user's account profile may indicate a user with malicious intentions. If a user needs to change his or her profile after exceeding the daily limit, the user can call the Help Desk and answer his or her secret questions and may be granted an override (one time in 24 hours).

While most security controls we tested were working as intended, we identified one security vulnerability that may permit a cyber criminal to impersonate a valid user and obtain postage using stolen credit card information.[28] Specifically, two [redacted] related to the Click-N-Ship and the Postal Store applications were not configured to safeguard the [redacted] information from unauthorized disclosure and modification. 
Although management was aware of the vulnerability in 2012, they did not take corrective action because they prioritized their efforts by addressing high and medium risks first.

[26] We used Hewlett-Packard (HP) WebInspect to perform these tests.
[27] Using HP WebInspect, we were able to thoroughly test the USPS.com login page, but the limit of five edits to the Customer Registration profile per day prevented us from performing any useful tests on the Customer Registration web pages.
[28] In 2012, an outside vendor reported this as a low-risk finding and recommended addressing this vulnerability. Although there is a small probability of an exploit, the impact could be great.

Recommendations

We recommend the executive vice president, chief Marketing and Sales officer, in coordination with the vice president, Retail Channel Operations, direct the program managers for Click-N-Ship, Every Door Direct Mail, Premium Forwarding Service, and the Postal Store to:

1. Establish thresholds for acceptable levels of 
credit card fraud for their program areas to help determine when escalation of oversight and additional controls are needed.

We recommend the treasurer, Corporate Treasury, in coordination with the acting vice president, Controller, direct the manager, Banking, to coordinate with the manager, Accounting Services, to:

2. Create standard operating procedures documenting the roles and responsibilities for all program offices responsible for managing chargebacks and Eagan Accounting Services' responsibility for monitoring and obtaining timely receipt of program managers' chargeback research results.

We recommend the vice president, Information Technology, direct the manager, Business Relationship Management, to:

3. Eliminate the identified security vulnerability concerning [redacted] on all Customer Registration integrated applications.

Management's Comments

Management partially agreed with the findings in our report, and agreed with recommendations 2 and 3. Management disagreed, in part, with recommendation 1 and disagreed with the monetary impact.

Regarding recommendation 1, management agreed with the mathematical calculations performed. 
However, they disagreed with the metric (.35 percent ratio) provided by an industry expert to determine monetary impact as stated in the report, and cited ratios from other sources that could be used. Management also disagreed with the recommendation because their eCommerce programs have a goal of zero percent for fraudulent chargebacks. Management is currently enhancing their fraud detection activities and will begin sending a monthly fraud/chargeback report to senior management by December 31, 2014.

Regarding recommendation 2, management will create standard operating procedures documenting the roles and responsibilities for all program offices responsible for managing chargebacks and Eagan Accounting Services' responsibility for monitoring and obtaining timely receipt of program managers' chargeback research results. Chargeback research will be contingent on the results of a future cost-benefit analysis, targeted for completion by March 31, 2015.

Regarding recommendation 3, management advised that they eliminated the identified security vulnerability concerning [redacted]. The last set of corrections was completed for all applicable applications on May 12, 2014. 
Management did take exception to how we portrayed the severity of the [redacted] vulnerability, noting that evaluation and assessments rated this as a low vulnerability.

Management disagreed with the amount of monetary impact because of subsequent consultation they obtained from an independent source indicating a higher level of acceptable credit card fraud. Also, management does not agree entirely with the amount of chargebacks classified as fraudulent.

Management cited specific statements that they consider inaccurate or could be misleading. Specifically, management disagreed with the ratio of .35 percent of credit card sales used as an acceptable level of credit card fraud. In addition, management stated a portion of the criteria used was not applicable to eCommerce transactions and noted the importance of fraud prevention. 
They also stated there was not an office named "Corporate Treasury, Fraud and Risk Mitigation." See Appendix D for management's comments, in their entirety.

Evaluation of Management's Comments

The OIG considers management's comments responsive to recommendations 2 and 3 and the corrective action proposed should resolve the issues identified in the report. Management cited that they have taken corrective action for recommendation 3. The OIG considers management's comments to recommendation 1 to be non-responsive.

Regarding recommendation 1, we believe sending a monthly fraud/chargeback report will enhance management's efforts to reduce fraudulent chargebacks. However, we believe management's goal of zero percent fraud is not practical from a cost/benefit perspective. 
Although we used a threshold ratio of .35 percent of revenue for our analysis, we believe management should perform their own analysis to determine a reasonable threshold that would be used to help determine when escalation of oversight and additional controls are needed.

Although management disagreed with the .35 percent ratio that we received from an industry expert and used throughout our report, we believe this ratio is valid. Management stated they identified a different ratio from a separate source and then confirmed this ratio with the same expert we used. However, we do not know the context of management's communications with the industry expert, and management did not provide any additional evidence of this communication. Based on the objective of our audit and consultation with our industry expert, we continue to believe the ratio is reasonable. However, as noted in recommendation 1, we believe it is important for the Postal Service to establish its own threshold. 
We commend the Postal Service for conducting additional research on potential thresholds and suggest it use that research to identify a threshold that is cost beneficial to the Postal Service.

Additionally, management stated they do not entirely agree with our monetary impact because the OIG classified 100 percent of the American Express and Discover chargebacks as fraudulent. In the report, the OIG explained that the Postal Service was unable to [redacted] at the time of our audit and did not provide a basis for the 95 percent ratio cited in management's response. As a result, the OIG considers the entire amount at risk.

Management also stated that our reference to Handbook F-101 is not relevant to eCommerce transactions. However, management did not provide us with any alternative policy. We believe the intent of the policy is relevant to disputing credit card chargebacks regardless of where the transaction took place. 
Responding immediately after a request would ensure research results are provided in time to meet the acquirer's timeframes for chargeback reversal consideration.

We agree with management's comments about the importance of preventing fraud and believe prevention is a valuable component of minimizing fraud risk. It is for this reason we stress that management needs a threshold to objectively measure whether fraud chargebacks reach an unacceptable level or effectively gauge when to escalate oversight and preventative controls to reduce credit card fraud.

Based on management's comments, we changed the title of the group that oversees fraud and risk mitigation from "Corporate Treasury, Fraud and Risk Mitigation" to "Corporate Treasury."

Regarding recommendation 3, we concur that the vulnerability related to the [redacted] is low. In fact, we reported that management had been aware of the vulnerability but did not take corrective action because they addressed high and medium risks first. 
Although the vulnerability is low, the risk that a cyber criminal could impersonate a valid user and obtain postage using stolen credit card information remains. Since management has been aware of this vulnerability for nearly 2 years, we believed it was important for management to further reduce the risk, particularly in light of management's detection of a high volume of automated, unauthorized attempts to log into Customer Registration application accounts in January 2013.

The OIG considers recommendation 1 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective action is completed. This recommendation should not be closed in the Postal Service's follow-up tracking system until the OIG provides written confirmation that the recommendation can be closed. Although we believe a zero percent fraud policy is not practical from a cost/benefit perspective, we view the disagreement on significant recommendation 1 as unresolved but do not plan to pursue it through the formal audit resolution process. 
We understand management's decision to defer other corrective actions for recommendation 2 until May 2015, pending completion of a positive cost-benefit analysis.

Appendices

Appendix A: Additional Information
  Background
  Objective, Scope, and Methodology
  Prior Audit Coverage
Appendix B: Customer Registration Controls Test Results
Appendix C: Summary of Chargebacks
Appendix D: Management's Comments

Appendix A: Additional Information

Background

According to a Trustwave® 2013 Global Security Report, the primary data type targeted by cyber criminals in 2011 and 2012 was credit cardholder data. There is a well-established underground marketplace for stolen credit card data. Criminals purchase and sell this data quickly for use in fraudulent transactions. eCommerce applications are more susceptible to credit card fraud than in-store purchase transactions, where the credit card is presented and physical verification of identity is possible. This makes the Internet extremely attractive to fraud perpetrators. Determined criminals have compromised almost every electronic identity-proofing technique and, unfortunately, there is no infallible solution to eliminating all fraudulent schemes and practices. 
As a result, the Postal Service is challenged, as are all eCommerce businesses, with safeguarding its eCommerce applications from cyber criminals, identifying those involved, and determining their full intentions.

Corporate Treasury oversees fraud and risk mitigation and supports the development and implementation of strategies, policies, and programs for mitigating payment fraud. This office is also responsible for analyzing fraud risk, leading the implementation of all corporate business initiatives to identify and mitigate fraud, and coordinating with various stakeholders to reduce fraud.

The Marketing Relationship Management Portfolio within Information Technology (IT) is the responsible owner of the Customer Registration application. This office collaborates with managers and key officials from other offices, and helps mitigate credit card fraud. These offices include program management offices (Click-N-Ship, EDDM, PFS, and the Postal Store), IT, the U.S. Postal Inspection Service, and Corporate Information Security (CIS).

Eagan Accounting Services is responsible for disputing chargebacks in a timely manner. The program management offices are responsible for researching chargebacks and providing supporting documentation to Eagan Accounting Services to dispute chargebacks. 
If a chargeback is not resolved, Eagan Accounting Services will expense it to the appropriate program management office, which considers it a loss.

Objective, Scope, and Methodology

Our objective was to determine the effectiveness of controls used to safeguard the eCommerce Customer Registration process and reduce online credit card fraud. To accomplish our objective, we interviewed managers and key officials from Marketing Relationship Management, Corporate Treasury, Eagan Accounting Services, CIS, IT, and the Postal Inspection Service. We also interviewed program managers for Click-N-Ship, EDDM, PFS, and the Postal Store.

We reviewed select Customer Registration security controls (implemented and planned) and performed manual and automated tests of those controls. We performed a web vulnerability assessment during our audit using HP WebInspect,[30] McAfee's SSLDigger,[31] and Mozilla Firefox[32] to test select controls implemented in the Customer Registration application. 
We performed our tests in the Customer Acceptance Test environment at the Eagan Computer Operations Service Center.

We analyzed revenue and credit card chargeback data for FYs 2010 through 2013 for the Click-N-Ship, EDDM,[33] PFS, and the Postal Store applications. In addition, we consulted with a contractor who has expertise in the field to determine an industry-wide threshold for credit card fraud chargebacks. We used this data to conduct a comparative analysis of chargebacks to yearly revenue for each of the four applications.

We conducted this performance audit from June 2013 through August 2014, in accordance with generally accepted government auditing standards, and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 
We discussed our observations and conclusions with management during the week of June 16, 2014, and included their comments where appropriate.

We assessed the reliability of chargeback data by verifying the accuracy of the data with multiple managers from Corporate Treasury, Fraud Risk and Mitigation, and Eagan Accounting Services. We determined that the data were sufficiently reliable for the purposes of this report.

Prior Audit Coverage

The OIG did not identify any prior audits or reviews related to the objective of this audit.

[30] An automated and configurable web application security-testing tool that mimics real-world hacking techniques and attacks.
[31] A software utility that evaluates and rates the security of the Secure Sockets Layer (SSL) ciphers accepted by a web server.
[32] Mozilla Firefox is a free and open-source web browser that provides support for add-ons written by third parties that integrate with Firefox.
[33] EDDM did not generate revenue in FY 2010 because it was not in production at that time.

Appendix B: Customer Registration Controls Test Results

Customer Registration Controls Test Results

Table 2 identifies eight of the 11 judgmentally selected Customer Registration security controls we tested and the results of those tests. Test results for three controls were inconclusive. We were able to test the Customer Registration login web page and determined that [redacted] did not exist on that web page; however, we were not able to determine whether these controls passed or failed on subsequent web pages. This was a result of an existing compensating control that limits the number of times a user can edit his or her profile to five times per day. While the compensating control that limited our tests would also limit a cyber criminal's attempt to perform the same tests, it is not an indicator of whether the control passed or failed. For the remaining eight controls, our tests demonstrated that seven are working as management intended; however, we identified one that did not pass our test.
We used automated tools and manual methods to perform these tests in the customer acceptance test environment and on the USPS.com web page.

Table 2. Customer Registration Controls Test Results

No.  Control                                                                      Result

Using Firefox plug-ins[1] we tested the following:

1.   Cookies are marked as secure.                                                Passed
     A secure cookie helps secure a user's identity.

2.   [redacted]                                                                   Failed

Using the SSLDigger[3] tool we tested the following:

3.   Disable support in the web server for weak cryptography.                     Passed
     Weak cryptography refers to weak algorithms and/or weak keys used to
     encrypt data.

Using manual methods we tested the following:

4.   Set email address limitations.                                               Passed
     For example, limit the user's choice of email name to a subset of the
     technically valid characters.

5.   Limit attempts to edit profile to five per day.                              Passed
     Numerous changes to a user's account profile are an indicator of a user
     with bad intentions.

6.   Lock account after three unsuccessful login attempts.                        Passed
     When the user attempts to log in three times with an incorrect password,
     the user's account is immediately locked. This control helps prevent
     cyber criminals from successfully guessing an account holder's password.

7.   Multiple user roles established.                                             Passed
     Customer Registration roles include Administrator, Help Desk, and Data
     Analyst. These roles help to segregate duties and improve access controls.

8.   Enable account disabling in volume.                                          Passed
     Multiple accounts can be disabled in large quantities based on indications
     of fraudulent behavior/patterns.

     Total                                                                        7 passed, 1 failed

Source: OIG audit team's judgmental selection of controls in coordination with Marketing Relationship Management.
1 Software that is added to existing software to increase program functionality.
3 Foundstone SSLDigger is a tool to assess the strength of SSL servers by testing the ciphers supported.

Appendix C: Summary of Chargebacks

Table 3 summarizes the revenue and chargebacks for each application under review for FYs 2012 and 2013.
Click-N-Ship chargeback amounts include 95 percent[37] of the total MasterCard and Visa chargebacks identified as fraudulent plus 100 percent[38] of American Express and Discover chargeback amounts. EDDM, PFS, and the Postal Store amounts represent 100 percent of the chargebacks for each of the four previously stated credit card brands.

Table 3. Summary of Revenue and Chargebacks

Application      FY Revenue      FY Chargeback    Monthly       Monthly       Monthly
                 (in millions)   Totals           Average       High          Low

Click-N-Ship
  FY 2012        $490            $6,137,781       $511,482      $798,049      $266,762
  FY 2013         536             4,686,252        390,521       594,408       127,918
  Total                         $10,824,033

EDDM[4]
  FY 2012        $299                  $249           $249          $249          $249
  FY 2013         430                28,817          2,401         5,987           212
  Total                             $29,066

PFS[5]
  FY 2012         $19                $3,427           $492        $1,402           $15
  FY 2013          22                15,519          1,293         2,042           823
  Total                             $18,946

Postal Store
  FY 2012        $244              $312,017        $26,001       $37,453       $13,928
  FY 2013         266               282,947         23,579        42,961        12,995
  Total                            $594,964

Source: OIG calculations based on Eagan Accounting Services chargebacks and revenue provided by program managers.
4 EDDM was placed into production in 2011; therefore, chargebacks were minimal in FYs 2011 and 2012.
5 PFS revenue included online and retail sales.

37 MasterCard and Visa identify fraudulent chargebacks. According to the Postal Service, those charges have historically been about 95 percent of all chargebacks.
38 We are using 100 percent of American Express and Discover chargeback amounts because the Postal Service was unable to [redacted].

Appendix D: Management's Comments
Contact us via our Hotline and FOIA forms, follow us on social networks, or call our Hotline at 1-888-877-7644 to report fraud, waste or abuse. Stay informed.

1735 North Lynn Street
Arlington, VA 22209-2020
(703) 248-2100